
(aws-cdk): enable key rotation in bootstrap kms key #22125

Closed
1 of 2 tasks
alexbaileyuk opened this issue Sep 19, 2022 · 6 comments
Labels
effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2 package/tools Related to AWS CDK Tools or CLI wontfix We have determined that we will not resolve the issue.

Comments


alexbaileyuk commented Sep 19, 2022

Describe the feature

There may be a good reason for it, however, key rotation is not enabled on the KMS keys created by the CDK bootstrap process. This results in failed Security Hub checks, Config checks etc. If you work in some industries, this may (?) be classed as a security vulnerability, assuming that key rotation was a compliance requirement.

For the Security Hub finding problem, you could automate the suppression of this check or disable it completely, but that is not ideal and adds complexity. For compliance requirements, there may not be a way around this.

Use Case

  1. Security Hub findings and automations are annoying to have to write when the CDK isn't conforming to out-of-the-box requirements set in Security Hub.
  2. Compliance requirements dictate that key rotation is required, so the CDK bootstrap cannot be used in the organisation.

Proposed Solution

Enable key rotation for keys created as part of the CDK bootstrap process.

Other Information

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

For all Type: AWS::KMS::Key, add EnableKeyRotation: true.

Cfn docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.41.0

Environment details (OS name and version, etc.)

N/A
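As an added example (not part of the issue or of the CDK project's code), the proposed change expressed as a check plus a patcher that works line by line over the bootstrap template's 2-space-indented YAML: it reports every AWS::KMS::Key resource lacking EnableKeyRotation: true and inserts the property under that resource's Properties block. The embedded template is a constructed, trimmed stand-in for the real file, and the logical id used in it is an assumption.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample standing in for the CDK bootstrap template (trimmed; logical id assumed).
SAMPLE_TEMPLATE = """\
Resources:
  FileAssetsBucketEncryptionKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Statement:
          - Action: kms:*
            Effect: Allow
  StagingBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: example
"""

# A resource (or any other second-level entry) header: exactly two spaces, a logical id, a colon.
RESOURCE_HEADER = re.compile(r"^  (\w+):\s*$")


def _resource_blocks(lines: List[str]) -> Iterator[Tuple[str, int, int]]:
    """Yield (logical_id, start, end) for each 2-space-indented entry; end is exclusive."""
    starts = [i for i, line in enumerate(lines) if RESOURCE_HEADER.match(line)]
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(lines)
        yield RESOURCE_HEADER.match(lines[start]).group(1), start, end


def kms_keys_without_rotation(template: str) -> List[str]:
    """Return logical ids of AWS::KMS::Key resources that do not set EnableKeyRotation: true."""
    lines = template.splitlines()
    missing = []
    for name, start, end in _resource_blocks(lines):
        block = [line.strip() for line in lines[start:end]]
        if "Type: AWS::KMS::Key" in block and "EnableKeyRotation: true" not in block:
            missing.append(name)
    return missing


def enable_key_rotation(template: str) -> str:
    """Insert EnableKeyRotation: true under Properties of every KMS key lacking it (idempotent)."""
    lines = template.splitlines()
    blocks = list(_resource_blocks(lines))
    out = lines[: blocks[0][1]] if blocks else lines[:]  # keep the preamble (e.g. "Resources:")
    to_fix = set(kms_keys_without_rotation(template))
    for name, start, end in blocks:
        for line in lines[start:end]:
            out.append(line)
            if name in to_fix and line.strip() == "Properties:":
                child_indent = len(line) - len(line.lstrip()) + 2
                out.append(" " * child_indent + "EnableKeyRotation: true")
    return "\n".join(out) + "\n"
```

Running the checker on the template produced by `cdk bootstrap --show-template` is a quick way to see which keys a compliance rule would flag before deciding whether the extra key-material cost is acceptable.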

@alexbaileyuk alexbaileyuk added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 19, 2022
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Sep 19, 2022
@peterwoodworth (Contributor)

This may not be something we want to have by default due to the increased cost for the user - CDK does not claim to be Security Hub compliant. Maybe this would work well as a CLI option, @rix0rrr what do you think about this?

Currently, you can customize the bootstrapping experience to suit your needs if the out-of-the-box experience doesn't work for you.

@peterwoodworth peterwoodworth added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Sep 19, 2022
@alexbaileyuk (Author)

@peterwoodworth as far as I am aware, there is no additional cost for this feature and the keys already exist.

@rix0rrr (Contributor) commented Jan 6, 2023

There is definitely an additional cost:

Key rotation and pricing

AWS KMS charges a monthly fee for each version of key material maintained for your KMS key. For details, see AWS Key Management Service Pricing.

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

Effectively, automatically rotating keys costs $1/mo the first year, $2/mo the second year, $3/mo the third year, etc.

That is why we have decided not to turn this on by default. Of course, if you decide that you want this, you can customize the bootstrapping template to turn the feature on.

@rix0rrr (Contributor) commented Jan 6, 2023

Although this is a wontfix, we should leave the issue open for other people to find with search.

@rix0rrr rix0rrr added the wontfix We have determined that we will not resolve the issue. label Jan 6, 2023
@rix0rrr rix0rrr removed their assignment Jan 6, 2023
@alexbaileyuk (Author)

@rix0rrr I didn't realise that KMS key rotation compounded that way. Thanks for looking into this.

@alexbaileyuk alexbaileyuk closed this as not planned Feb 13, 2023